Have Hackers Drained Your Miles And Points During The Pandemic?

When was the last time you checked the balances on your favorite travel rewards accounts?

During the pandemic, while Americans have been spending more time at home and less time traveling, cyberthieves have seized the moment by targeting loyalty program miles and points, according to the latest “State of the Internet” report from Akamai Technologies, the global cybersecurity platform.

“The ‘Am I going to check my balance tomorrow and see that it’s zero?’ is legit the first question to ask,” says Steve Ragan, Akamai security researcher and an author of the report. “Imagine the shock of checking your points — you’re a diamond hotel member, or you’ve got elite status on an airline — and you go and check your points, and boom, somebody’s traded them out or sold them.”

Since the Covid-19 lockdowns began in early 2020, Akamai has noticed an uptick in loyalty program accounts being sold on the dark web.

For criminals, the pandemic has provided the perfect storm of opportunity. At the same time people stopped traveling, the terms of their rewards accounts became much more favorable.

“Do you remember when almost all of the airlines, all of the hotels, sent out emails like, ‘Hey, we’re all in this together. We’re going to extend your loyalty program until 2021, and your hotel points won’t expire, and your airline miles won’t expire’?” asks Ragan. “Well, criminals saw those messages, too. Those emails were a giant flag.”

“Criminals were stuck at home, just like the rest of us, and they started going through all their password collections — the old stuff — just to see what was out there.” Ragan is describing one of the most common types of attack, known as credential stuffing.

Between July 2018 and June 2020, Akamai observed more than 100 billion credential stuffing attempts, and more than 63 billion of them targeted the retail, travel, and hospitality sectors.

“Hackers take lists of usernames and passwords from other data breaches that have been exposed,” Ragan explains. “Then they take these big lists and then they point them at a service or a brand and they just run that list and they test every single username and password on it to see if there’s anything that’s valid.” From there, the next step would be to either take over your account or sell your credentials to another criminal.

“They pass it up the chain,” says Ragan. “Then somebody puts it together with other packages and they sell your account. Criminals don’t really care what’s done with the account under their control. They just want to make money off of it.”

During the first quarter of this year, says Ragan, “Criminals ramped up their credential stuffing efforts to the tune of hundreds of millions of attempts or attacks a day, sometimes an hour in some verticals. It’s insane.”
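Credential stuffing has a recognizable shape on the defender's side of the login endpoint: one source tries many different usernames in a short window, most of them fail, and the occasional success is a compromised account. The detector below is an added example written for this article, not Akamai's tooling or any airline's or hotel's own code. The log format, the IP addresses (reserved documentation ranges) and the usernames are constructed for the example; the thresholds are assumptions a real deployment would tune.

```python
"""Credential-stuffing detector over constructed authentication log lines.

Added example for this article; the log format, thresholds and data are
assumptions, not any vendor's real implementation.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines. 203.0.113.7 spreads attempts across many
# accounts (stuffing); 198.51.100.4 hammers one account (brute force, a
# different pattern this detector deliberately does not flag).
SAMPLE_LOG = """\
2021-03-01T10:00:01Z src=203.0.113.7 user=alice result=fail
2021-03-01T10:00:02Z src=203.0.113.7 user=bob result=fail
2021-03-01T10:00:02Z src=203.0.113.7 user=carol result=fail
2021-03-01T10:00:03Z src=203.0.113.7 user=dave result=success
2021-03-01T10:00:03Z src=203.0.113.7 user=erin result=fail
2021-03-01T10:00:04Z src=203.0.113.7 user=frank result=fail
2021-03-01T10:00:05Z src=198.51.100.4 user=alice result=fail
2021-03-01T10:00:09Z src=198.51.100.4 user=alice result=fail
2021-03-01T10:00:20Z src=198.51.100.4 user=alice result=success
2021-03-01T10:05:00Z src=192.0.2.9 user=grace result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>success|fail)$"
)


def parse_log(text):
    """Parse the constructed log format into (timestamp, src, user, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than crash the detector
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "success"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5, min_fail_ratio=0.6):
    """Flag sources that try at least `min_users` distinct accounts inside a
    sliding `window` with a failure ratio of at least `min_fail_ratio`.

    Returns {src: {"distinct_users", "attempts", "fail_ratio", "compromised"}}
    where "compromised" lists accounts that succeeded inside a flagged window:
    those are the balances to freeze and the customers to notify first.
    """
    by_src = defaultdict(list)
    for ts, src, user, ok in events:
        by_src[src].append((ts, user, ok))

    flagged = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {u for _, u, _ in win}
            fails = sum(1 for _, _, ok in win if not ok)
            ratio = fails / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                prev = flagged.get(src)
                # Keep the widest window seen for this source.
                if prev is None or len(users) > prev["distinct_users"]:
                    flagged[src] = {
                        "distinct_users": len(users),
                        "attempts": len(win),
                        "fail_ratio": round(ratio, 2),
                        "compromised": sorted(u for _, u, ok in win if ok),
                    }
    return flagged


if __name__ == "__main__":
    for src, stats in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, stats)
```

The single-account brute force from 198.51.100.4 is left to a separate per-account lockout rule; stuffing is distinguished precisely by the spread across many usernames, which is why the distinct-user count, not the raw attempt count, drives the decision.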

One reason that loyalty programs make easy targets is that they have a perception problem, according to the Akamai report. Many consumers don’t think of loyalty and rewards accounts as high risk, so they are more likely to use weak passwords.

That’s a huge mistake, says Ragan. “Make sure that you’re using a unique password that’s relatively long. You can get this done easily by using a password manager.”

A good password manager will also protect you against another common kind of attack. “Phishing has also definitely spiked during the pandemic,” says Ragan.

In a typical phishing scam, you would receive an email from a hacker disguised as a trusted brand such as Marriott, with a link to a look-alike login page. You might not notice that the page sits on a different domain, but a password manager will.

“If you were to open up Marriott’s Bonvoy website and try to log into it, your password manager would realize that’s the correct site, and it would fill out your username and password for you,” explains Ragan. “But if you clicked on a phishing email and went to open up the fraudulent website, it’s not the correct domain. It’s not the same website, so your password manager wouldn’t activate. That visual cue that you’re used to seeing from your password manager would no longer be there. That’s a giant red flag.”
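The behavior Ragan describes comes down to one comparison: the manager fills only when the registrable domain of the page matches the domain the credential was saved under. The following is an added example written for this article, not the code of any real password manager; it assumes a tiny stand-in for the Public Suffix List and a policy of refusing to fill over plain HTTP when the entry was saved under HTTPS. The look-alike hostnames use reserved example and test domains and are constructed.

```python
"""Domain-matching rule of the kind a password manager applies before autofill.

Added example for this article; the suffix list is an abbreviated assumption
(real managers ship the full Public Suffix List) and the downgrade policy is
this example's choice, not a specific product's documented behavior.
"""
from urllib.parse import urlsplit

# Stand-in for the Public Suffix List: multi-label suffixes where a naive
# "last two labels" rule would wrongly treat every site under them as one domain.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def registrable_domain(url):
    """Return (scheme, eTLD+1) for `url`, or None if there is no usable host.

    IP-literal hosts are out of scope for this example and simply never match
    a saved hostname entry.
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".").lower()
    if not host or parts.scheme not in ("http", "https"):
        return None
    labels = host.split(".")
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) <= suffix_len:
        return None
    return parts.scheme, ".".join(labels[-(suffix_len + 1):])


def should_autofill(saved_url, current_url):
    """Decide whether a credential saved for `saved_url` may be filled on `current_url`."""
    saved = registrable_domain(saved_url)
    current = registrable_domain(current_url)
    if saved is None or current is None:
        return False
    if saved[1] != current[1]:
        return False  # different registrable domain: stay silent, the missing prompt is the cue
    if saved[0] == "https" and current[0] != "https":
        return False  # refuse to hand an HTTPS-saved secret to a plain-HTTP page
    return True


if __name__ == "__main__":
    saved = "https://www.marriott.com/loyalty/login"
    for candidate in [
        "https://www.marriott.com/sign-in",
        "https://marriott.com/",
        "https://www.marriott.com.evil-example.test/login",  # constructed look-alike
        "https://marriott-bonvoy.example.net/",               # constructed look-alike
        "http://www.marriott.com/",
    ]:
        print(should_autofill(saved, candidate), candidate)
```

The look-alike `www.marriott.com.evil-example.test` is the case a glance at the address bar misses most often: the brand name is right there at the start of the hostname, but the registrable domain is `evil-example.test`, so the manager stays quiet.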

Ragan says he and his colleagues at Akamai are often asked which is the best password manager out there. “Two of the most popular ones on the market are 1Password and LastPass, but Dashlane is also very good. And if you’re a really, really technical user, KeePass is also a good option,” he says.

“So when it comes to password managers, they are a personal choice,” says Ragan. “Just use the one that you’re most comfortable with, the one that you like most.”


This article was written by Suzanne Rowan Kelleher from Forbes and was legally licensed through the Industry Dive publisher network. Please direct all licensing questions to legal@industrydive.com.
